DisplayControllerSkill

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: display-controller
Version: 1.0.3

The skill bundle instructs the AI agent to download and execute a remote binary (DisplayControlSkill.exe) from a GitHub repository via a PowerShell script (scripts/setup.ps1). This 'download and execute' pattern is a high-risk security practice as it introduces opaque, unverified code into the execution environment. While the stated purpose of monitor control is consistent with the provided commands, the reliance on an external binary from a third-party source (github.com/society2012/DisplayControlTool) without source-level verification constitutes a significant supply chain risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the release is compromised, replaced, or not the expected program, the skill could run arbitrary code on the user's machine.

Why it was flagged

The setup script downloads an executable from an external GitHub release, but the artifacts provide no checksum, signature verification, lockfile, or bundled source for that binary.

Skill content

Invoke-WebRequest -Uri 'https://github.com/society2012/DisplayControlTool/releases/download/tag002/DisplayControlSkill.exe' -OutFile $exePath

Recommendation

Bundle reviewed code where possible, or require explicit user approval and verify the downloaded EXE with a pinned hash or trusted signature before execution.

Concern (High Confidence)
ASI05: Unexpected Code Execution

What this means

The agent may download and run unreviewed local code as part of an ordinary monitor-control request.

Why it was flagged

The normal workflow tells the agent to install a missing executable and then execute it, but that executable is not included in the reviewed artifacts.

Skill content

If `scripts/DisplayControlSkill.exe` does not exist, run `scripts/setup.ps1` ... then call the EXE to obtain the JSON output.

Recommendation

Make the download and first execution user-confirmed, document the binary provenance, and verify integrity before running it.

What this means

A mistaken or autonomous call could dim a display or turn it off, which may confuse or interrupt the user.

Why it was flagged

The skill exposes commands that intentionally change display state, including turning a monitor off.

Skill content

`set_monitor_power_off` | `<index>` | Turn off the monitor

Recommendation

Ask for clear user intent before power-mode changes, especially commands that turn displays off or affect multiple monitors.